HyperSec has nurtured what is now known
as the HyperSec Review Methodology over its many years of experience
operating in the field of IT security. The program continues to
guide highly efficient security analyses as it evolves to reflect
the rapidly changing environment in which we work. To ensure the
homogeneity of high standards across all assessments, the HyperSec
Review Methodology is embraced organization-wide.
The methodology specifies a structure for each assessment and
details objectives, approaches and tasks on a number of levels.

APPLICATION REVIEW (CODE-AUDIT).

There are many kinds of network-aware applications. The most common
type we encounter is backed by database server, and has a login
facility to validate a user who can proceed to manipulate data
through a web-based interface. Complex applications involve numerous
systems and interaction with remote servers. They may support many
concurrent user sessions. Application review is an investigation
into all aspects of the applicationís operation. We use techniques
and tools in an attempt to subvert the application into behavior
that is erroneous or insecure.

We find that applications available over the Internet frequently
harbor vulnerabilities and provide a hole through the firewall. It
is easy to make logical, design or implementation errors when
developing applications, and the more complex an application, the
greater the chance that such vulnerabilities will creep in.
Typically, the vulnerabilities that we discover provide an intruder
with the opportunity to manipulate data, crash the application or to
compromise the server.
HyperSec distinguishes two approaches used for application review.
These are summarised in the table.

Approaches

Explanation

Validated User Review

Usually we work with two valid user accounts to see if it is
possible to view or manipulate the other userís data. We also
try to subvert the application such that we gain unauthorised
privileges and, ultimately, access to the underlying operating
system.

Source Access Review

Source Access Review supplements Validated User Review with a
review of the programming source code of the application. We
will also discuss the code with its developers and study design
documentation. This is the most efficient method for discovering
vulnerabilities within applications.

TABLE 1: Application Security Review
Types

The usual starting point is a blind review, where HyperSec have no
knowledge regarding the application prior to review. All aspects of
the applicationís operation are investigated, including:

Enumerating all pages within the application (including
guessing URLs not given);

The first procedure is generally an attempt to
circumvent authentication controls. This may involve:

Brute force testing of user IDís and passwords;

Spoofing a cookie and changing certain parameters (if
the applicationís authentication procedure is based on cookies);

Guessing URLs, in order to verify that all pages are
password protected;

Studying the source code of each web page in order
to obtain information that can be utilized during latter stages of
testing;

Trying to exploit buffer overflow vulnerabilities by
leveraging lack of input validation. This usually involves type and
bounds tests (i.e. supplying different data types and excessively
long input).

The second step consists of tests performed from a
valid test user account. This is to verify that users are permitted
control only over their own data and not that of other users.

Source Access Review could be said to be the final stage. An
analysis of the code focuses on the discovery of common programmatic
hazards as well as specific design or logic errors. Artifacts sought
include buffer overflow points, input validation errors, bad coding
practices, and the use of insecure products as part of the
application. With the source code at hand the application review
becomes more efficient.

If you want to know more about our penetration testing service,
please download the requisition form and send it to
info@hypersec.co.uk

HyperSec is
a trademark of HyperSec Consulting Group UK. All the logos, images,
code and informationare property of his owners. HyperSec
Consulting Group does not approve any illegal practice that
uses information contained within this site, for more information,
please read the EULA of this page.
HyperSec Consulting Group UK.